.TH RADCRYPT 8
.SH NAME
radcrypt - generate password hash for use with radius, or validates a password hash
.SH SYNOPSIS
.B radcrypt
.RB [ \-d | --des ]
.RB [ \-m | --md5 ]
.RB [ \-c | --check ]
\fIplaintext_password\fP [\fIhashed_password\fP]
.SH DESCRIPTION
\fBradcrypt\fP generates a hashed digest of a plaintext password, or can
validate if a password hash matches a plaintext password. When generating 
a password hash a random salt is generated and applied. \fBradcrypt\fP only
currently supports the older DES and MD5 hashes.
.PP
Current best practice is to use certificate-based authentication rather than 
relying on passwords. However, other external tools such as openssl can generate
high quality hashed and salted passwords if needed, e.g. "echo -n 'password' | 
openssl dgst -sha512". Although more modern hashes such as bcrypt, SSHA3, and SSHA2
are not supported by radcrypt, hashes are supported in the server by rlm_pap(5).
.PP
A hashed password can be validated by specifying \fI-c\fP or \fI--check\fP and
passing \fIhashed_password\fP after \fIplaintext_password\fP on the command line.
In this case \fIhashed_password\fP will be checked to see if it matches
\fIplaintext_password\fP. If so "Password OK" will be printed and the exit
status will be 1, otherwise "Password BAD" will be printed and exit status
will be 0 (Note this is the opposite of a normal successful shell status).

.SH OPTIONS

.IP "\-d --des"
Use a DES (Data Encryption Standard) hash (default).
Ignored if performing a password check.
.IP "\-m --md5"
Use a MD5 (Message Digest 5) hash.
Ignored if performing a password check.
.IP "\-c --check"
Perform a validation check on a password hash to verify if it matches
the plaintext password.

.SH EXAMPLES
.nf
$ radcrypt foobar
HaX0xn7Qy650Q
$ radcrypt \-c foobar HaX0xn7Qy650Q
Password OK
.fi
.SH SEE ALSO
radiusd(8), crypt(3)
.SH AUTHORS
Miquel van Smoorenburg <miquels@cistron-office.nl>
